Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IronMan
New Contributor III

Fortigate dual internet & policy routes question

I have a Fortigate and configured 2 interfaces that connect to 2 different ISPs.

 

Interface 9 - ISP A

Interface 10 - ISP B

 

Basically, I would like all computers to use interface 9, except for a selected few that will use interface 10.

 

Interface 10 is configured with a DHCP, and I've been told that because of this, Interface 10 becomes the default route. To fix this, I created a Policy Route so that all traffic goes to Interface 9. Then I created another  Policy Route to make the selected few computers to use Interface 10. This all works perfectly fine.

 

My question is: If interface 9 goes down, will the computers automatically use Interface 10?

 

I don't want it to use interface 10, I want the computers to just not have any internet access at all if interface 9 is down. (sounds odd but there's a reason for that). I am unable to test this out now, hence this question.

 

 

 

 

 

 

 

 

1 Solution
seshuganesh
Staff
Staff

ideally even if ISP is down like if internet is not working, there is no way firewall can detect that connectibity issue unless you configure link monitor.

So if you dont configure link monitor your configuration and "enable update static route" option in the link monitor configuration, firewall should still pass the packet through the down interface.

Please check

View solution in original post

3 REPLIES 3
antholux
New Contributor

Hello, 

Why not try to use SD-WAN feature with better priority for interface 9 ? 

srajeswaran
Staff
Staff

I think you can create a negate policy from your LAN/Computers to port10. With this you can allow access only to the selected computers/usres.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-Policy-Negate-option/ta-p/194290

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

seshuganesh
Staff
Staff

ideally even if ISP is down like if internet is not working, there is no way firewall can detect that connectibity issue unless you configure link monitor.

So if you dont configure link monitor your configuration and "enable update static route" option in the link monitor configuration, firewall should still pass the packet through the down interface.

Please check

Top Kudoed Authors